Re: OpenLDAP issues when connecting over SSL

["Jean-Yves Avenard" <jyavenard@gmail.com>]

Hi

On 1/22/07, S Kalyanasundaram <skalyanasundaram@novell.com> wrote:

> I am about to ask this one. I am googling for help to configure openldap with TLS.
> And my client program should use ldap_start_tls_s for connection but with no certificate.
> Any help is appreciated ,

> From what I've been able to gather...

First, to establish a SSL/TLS connection, you must have a certificate,
you can't do without one. Now you may very well not check the validity
of the certificate.
If you want your ldap client to no check the validity of the
certificate, you use the following option in ldap.conf:
TLS_REQCERT never
the default is demand for the client
The default for the openldap server is to NOT check the client
certificate. You can change this behaviour with TLSVerifyClient in
slapd.conf
it's all explained there:
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html

To force a specific level of encryption you use the option in slapd.conf:
security ssf=n update_ssf=n

Where n is the number of bits used in the encryption. ssf is for
accessing the ldap (value of 0 is no protection at all), update_ssf is
used for updating the database (add, delete, modify etc...)
I found some explanation there:
http://www.openldap.org/doc/admin23/security.html (stuff there needs
to be checked , I found that many options aren't valid with my version
of openldap 2.3.33

Jean-Yves